ABSTRACT



An encoded bitstream assembled by an audio or video 
encoder is encrypted. The assembled encoded bitstream has 
a syntax. Data is selected in the assembled encoded
bitstream, which data is less than all of the data in the bitstream
and which, if encrypted, would result in a partly-encrypted
bitstream that does not violate the syntax of the assembled
encoded bitstream and would render reproduced audio or 
video resulting from an undecrypted decoding of the partly- 
encrypted bitstream to be of degraded quality. The selected 
data in the assembled encoded bitstream is encrypted to 
provide the partly encrypted bitstream. 
PARTIAL ENCRYPTION OF ASSEMBLED
BITSTREAMS 

TECHNICAL FIELD 

[0001] The invention relates to data encryption. More 
particularly, the invention relates to encrypting portions of 
assembled data and more particularly of encoded audio or 
video data. 

BACKGROUND ART 

[0002] Data encryption is used to securely transmit infor- 
mation over an insecure channel. A mathematical transfor- 
mation is applied to the information in such a way that it is 
very difficult to undo the transformation. A key, which is just
a large number, controls the encryption and decryption
algorithm. A symmetric key algorithm uses the same key to
encrypt and decrypt the data. An asymmetric key algorithm
uses two different but related keys where one is used to 
encrypt and the other is used to decrypt the data. 

[0003] Algorithms for data encryption tend to be compu- 
tationally expensive especially on general-purpose proces- 
sors that operate on words rather than single bits. The current 
standard DES algorithm operates in this fashion. Generally, 
the larger the size of the key the more computationally 
expensive the algorithm will be. 

[0004] A secure encryption algorithm assumes that an 
attacker knows everything about the system except for the 
key that is needed to decrypt the stolen information. Under 
ideal conditions, the only successful attack would be an 
exhaustive key search, in which the attacker must apply 
every possible key to the entire set of encrypted data, and 
then analyze the decrypted result to see if it was sensible. If
this is the only possible attack, the system can be made 
secure in practice by choosing a large enough key size (i.e., 
the time required to test every possible key would be 
impractical). 

[0005] In many systems, a significant weakness can be 
used to reduce the time required to perform an exhaustive 
key search. This weakness occurs when the decrypted data 
is known to contain recognizable information. For example, 
if the encrypted data was known to be English text, statistics 
from the decrypted data could determine when something 
close to the English language was found. This would indi- 
cate a potential key. If certain words were known to exist 
within the decrypted text, it would be even easier to find 
potential keys. 

[0006] In addition, it may be possible to perform a more 
efficient exhaustive key search if the encrypted data contains
internal dependencies. If the data to be encrypted is a
bitstream, and the specific values of certain bitstream ele- 
ments determine the existence or size of subsequent bit- 
stream elements, these dependencies can be exploited by an 
attacker. As an example, consider a frame based bitstream 
syntax in which the overall frame size is known, and for 
which one or more parameters are optionally included based 
on the value of other parameters. An attacker performing an 
exhaustive key search may find that, for a certain group of 
keys, the decrypted bitstream indicates the inclusion of these 
optional parameters, and as a result the frame size is longer 
than it should be (this is called an overflow condition). Such 
a decrypted bitstream is an "illegal" bitstream that violates
the bitstream's syntax. In this case, the attacker can conclude
that the correct decryption key is not in this group, which 
may save considerable time in completing the exhaustive 
search. Similar cases exist in underflow conditions, in which 
the decrypted syntax fails to use enough of the available bits 
in the frame to constitute a legal bitstream. Finally, if one or 
more of the parameters in a bitstream is precluded from 
taking on certain specific values, occurrence of these values 
can help an attacker rule out keys (this is called an illegal 
value condition and is another example of an illegal
bitstream that violates the bitstream's syntax).

[0007] A possible way to make the system more robust to 
attacks is to hash the data before it is encrypted. A hash 
function randomizes the data so that statistics and keywords
cannot be used to help in an attack. Several problems exist
with this method. It must be assumed that the attacker knows 
the hash function and can undo it. In addition, the hash 
function uses more processing power, further increasing the 
computational cost. 

[0008] Many data reduction systems exist that block pro- 
cess input data such as audio and video. These systems 
generally structure the compressed data in a predetermined
fashion. The data is broken into blocks or frames that are
independently decodable over some amount of time. The
frames may consist of both fixed information (i.e., it is
invariant from frame to frame) and variable information (i.e.,
it changes from frame to frame). Directly encrypting all of 
the data in these frames leads to the problems mentioned 
above, such as the large amount of processing required and 
the security problems with known keywords that could help 
an attacker determine the key. Known keywords contained 
within the fixed information such as sync words, data rate 
and other metadata change little or not at all from frame to 
frame and could be used to allow an attacker to devise an
attack that would require less work than an exhaustive key 
search. 

[0009] U.S. Pat. No. 5,636,279 discloses a scramble appa- 
ratus for scrambling data including a variable length code. In 
one embodiment the scramble apparatus receives an MPEG 
encoded video signal as an input signal. The input signal is 
supplied to a code detecting unit that has a codebook used
to reproduce each code in order to read the content of all data 
in the input signal. Based on the output signal of the code 
detecting apparatus selected portions of the input signal are 
scrambled. The need of a code detecting unit to decode the 
received bitstream prior to scrambling makes this known 
apparatus complex and expensive. 

[0010] It is known to encrypt a variable information 
portion of a frame prior to assembly of the output bitstream 
by an encoder (German patent DE 199 07 964 C1, U.S. Pat.
No. 5,636,279). However, this approach has several
disadvantages. It is complex, requiring the encryption to be
applied within the encoder rather than to the assembled 
bitstream. This complexity renders it impractical for the case 
in which multiple copies of a bitstream, each encrypted with 
a different encryption key, are to be sent to multiple users. 
In addition, if the encryption is applied to data within an 
encoder prior to entropy encoding, such as Huffman coding,
the encryption tends to defeat the entropy coder's coding 
advantage (encryption tends to "whiten" the data, leaving 
fewer redundancies in the data for the entropy coding to 
reduce). Thus, there remains a need for an improved data 
encryption method. 
DISCLOSURE OF THE INVENTION

[0011] In accordance with a first aspect of the present 
invention, there is provided a method for encrypting an 
encoded bitstream assembled by an audio or video encoder, 
the assembled encoded bitstream having a syntax. Data in 
the assembled encoded bitstream is selected, which data is 
less than all of the data in the bitstream and which, if 
encrypted, would result in a partly-encrypted bitstream that
does not violate the syntax of the assembled encoded 
bitstream and would render reproduced audio or video 
resulting from an undecrypted decoding of the partly-en- 
crypted bitstream to be of degraded quality. The selected 
data in the assembled encoded bitstream is encrypted to 
provide the partly encrypted bitstream. In accordance with a 
further aspect of the invention, the syntax is a modification
of the normal syntax of the encoder for the assembled 
encoded bitstream when the partly-encrypted bitstream 
would violate the normal syntax of the assembled encoded 
bitstream, wherein the normal syntax is modified so that 
when the selected data is encrypted the resulting partly- 
encrypted modified bitstream does not violate the modified 
syntax of the assembled encoded bitstream. 

[0012] System security does not necessarily require
preventing an attacker from gaining some knowledge about the
data that is sought to be protected. Even if some of the 
bitstream elements are visible in the clear, if enough of the 
bitstream is encrypted, it may be impossible to make mean- 
ingful use of the data without properly decrypting it. For 
example, audio data may be of no use if it is unintelligible 
or of degraded quality, even if the attacker is able to see 
some of the associated metadata conveyed in the bitstream. 

[0013] In accordance with the present invention, security
is enhanced by encrypting only a portion of an assembled 
bitstream rather than all of it. Encryption of elements in an 
assembled bitstream whose values are known or statistically 
likely is not preferred. Encryption of those elements with the 
highest entropy in the assembled bitstream is preferred. For 
example, if the encoder employs an entropy coding algo- 
rithm, it is preferred to encrypt at least part of the entropy- 
coded data portion of the assembled bitstream, such as at 
least part of the portion of the bitstream data that has been 
Huffman coded, arithmetic coded or Gain Adaptive
Quantization (GAQ) coded. If the encoder does not employ an
entropy-coding algorithm, then it is preferred to encrypt at 
least part of the highest entropy portions (e.g., those portions 
that are not repetitive and are the least predictable) of the 
bitstream. Encryption of one or more elements in an 
assembled bitstream that would cause the resulting partially 
encrypted bitstream to violate the syntax of the assembled 
bitstream (i.e., to cause an illegal bitstream by causing, for
example, overflow, underflow, or illegal value conditions) is
not preferred. 

[0014] In order to avoid overflow or underflow conditions 
when encryption is applied to the entropy-encoded data 
portions in the assembled bitstreams produced by certain 
types of encoders (e.g., encoders employing gain adaptive 
quantization), it may be necessary to modify the syntax of 
the encoder's bitstream in order to allow the re-ordering of
data in the assembled bitstream. 

[0015] With respect to other types of entropy-type encod- 
ers (e.g., encoders employing Huffman coding or arithmetic 
coding), to avoid triggering overflow or underflow
conditions, it may be necessary to modify the encoder's syntax to
allow padded data to be added, for example by appending it
to the end of the frame or block in which such overflow or
underflow occurs. 

[0016] In addition to enhancing security, the present 
invention reduces overall computational complexity, 
because fewer data words are encrypted and subsequently 
decrypted. The computational complexity is also reduced 
because the encryption is performed directly on an 
assembled bitstream (the multiplexed bitstream output of an 
encoder). This prevents having the added complexity of 
involving an encoder or decoder in the encryption process. 
An advantage of encrypting an assembled bitstream (not 
involving the encoder or decoder) is that separately 
encrypted bitstreams can be prepared for different markets
and/or destinations. 

[0017] Encrypting large amounts of data is computation- 
ally expensive. It would be useful if data could be encrypted 
at a low computational cost at the point of distribution. This 
would ensure that data could be personalized to a limited 
number of end users at any time. For example, in a Video on 
Demand (VOD) system a large amount of data is encrypted 
and distributed over a network. If this content is stored in an 
encrypted format, it will always have the same key to 
decrypt the material. Once a user acquires a decryption key, 
the user would always have access to the material. If it were 
possible to encrypt at the point of distribution, more control 
over the content would exist. This is possible, according to 
the present invention, because encryption is applied to an 
assembled bitstream rather than in the coding process prior 
to assembling the encoded bitstream. 

[0018] The present invention describes how encryption 
can be separated from a compression system in a way that
lowers the computational cost of security. It also supports a
distribution model that can use this to protect transmitted
data to end-users.

DESCRIPTION OF THE DRAWINGS 

[0019] FIG. 1 is a conceptual block diagram showing
generally the manner in which encryption is applied in
accordance with aspects of the present invention.

[0020] FIG. 2 is a conceptual block diagram showing
generally the manner in which decryption is applied in
accordance with aspects of the present invention. 

[0021] FIG. 3 is an idealized diagram (it is not to scale) 
showing the format of a typical encoded audio frame gen- 
erated by a transform type encoder in which the audio data 
is represented by exponents and quantized mantissas. 

[0022] FIG. 4 is a conceptual block diagram showing
generally the manner in which encryption is applied in 
accordance with aspects of the present invention in which 
the bitstream syntax is modified. 

[0023] FIG. 5 is a conceptual block diagram showing 
generally the manner in which decryption is applied in 
accordance with aspects of the present invention in which 
the bitstream syntax is modified. 

BEST MODE FOR CARRYING OUT THE 
INVENTION 

[0024] FIG. 1 is a conceptual block diagram showing
generally the manner in which encryption is applied in 
accordance with aspects of the present invention. An audio
or video signal is applied to an audio or video encoder 
function or process 2, the output of which is applied to a 
multiplexer function or process 4 that assembles an encoded 
bitstream in accordance with a syntax. The multiplexer 
function or process typically is part of the encoder function 
or process but is shown separately here for discussion 
purposes. The assembled encoded bitstream is then 
encrypted by an encrypter function or process 6 using a key, 
as discussed above. The choice of any particular encryption 
process is not critical to the invention. The encrypter func- 
tion or process output is a protected bitstream. In the 
protected bitstream, less than all of the data in the bitstream 
is encrypted, the partly-encrypted bitstream does not violate 
the syntax of the assembled encoded bitstream of multi- 
plexer 4 and would render reproduced audio or video 
resulting from an undecrypted decoding of the partly-en- 
crypted bitstream to be of degraded quality. The degree of 
degradation depends at least on how much of the bitstream 
is encrypted and the encryption applied. An acceptable level 
of quality degradation may be determined by the user. 

[0025] FIG. 2 is a conceptual block diagram showing 
generally the manner in which decryption is applied in 
accordance with aspects of the present invention. The pro- 
tected bitstream is applied to a decrypter function or process 
8 that also receives the same key as used by encrypter 
function or process 6 for encrypting the protected bitstream. 
The decrypted bitstream is then demultiplexed by a demul- 
tiplexer function or process 10 and applied to an audio or 
video decoder function or process 12 that provides a 
decoded audio or video signal. In the absence of a correct
key applied to decrypter function or process 8, the
reproduced audio or video is of degraded quality.

[0026] Aspects of the invention apply both to audio and 
video encoders and decoders, particularly perceptual encod- 
ers and decoders in which time domain audio or video 
signals are transformed into the frequency domain and 
frequency coefficients are quantized using perceptual mod- 
els in order to reduce the amount of data in the encoder's 
output. A large portion of the data in a perceptual audio or 
video compression system is entropy-coded data. This data 
generally occurs in the same location in the encoded frames, 
at the frame rate of the compression system. In accordance 
with the present invention, a distribution server (a server 
distributing audio or video content to multiple users), for 
example, may encrypt only a small portion of the data in a 
fixed location in frames as it transmits assembled bitstreams. 
This would make it unnecessary for the server to parse 
(partially decode the bitstream to identify high-entropy
portions of the bitstream) the bitstream and encrypt specific 
portions of the data or to decode the bitstream, encrypt it and 
re-encode it. 

[0027] If one considers audio data reduction systems such 
as MPEG-AAC, Dolby E or video reduction systems such as 
MPEG-1, 2 and 4, all contain some type of entropy coder as 
part of the compression algorithm ("Dolby" is a trademark
of Dolby Laboratories Licensing Corporation). An entropy 
coder reduces the data size by removing the redundancies in 
the data set. The entropy-coded data set has a 'whitened'
characteristic because the processing flattens the probability 
density function (PDF). This data set is optimal for
encryption because very little information can be inferred from this
whitened data set. The entropy coder creates a similar output 
to that of a hashed data set. 

[0028] Also of interest are other audio and video data 
reduction systems, such as the Dolby AC3 audio system, 
which do not employ entropy coding as a part of the 
compression algorithm, but which, nevertheless, generate 
bitstreams having portions that have higher entropy (e.g., the 
quantized mantissas of the frequency coefficients) than other 
portions (e.g., syncwords, bitstream information, and the 
like). 

[0029] In such audio and video data reduction systems that 
employ entropy coding or other types of coding that gener- 
ates high entropy bitstream portions, the syntax of the 
coding algorithm identifies the portions of the assembled
data stream that are entropy coded or have high entropy. 
Typically, entropy coded portions or high entropy portions 
include scalefactors, exponents and quantized coefficients. 
The entropy coded or high entropy data is usually a high 
percentage of the assembled bitstream and is often located at
the end of a frame. Because such entropy coded or high 
entropy portions are usually located in the same position in 
each frame, they are readily located for encryption and 
decryption, thus avoiding the complexity of parsing or 
decoding the bitstream in order to encrypt all or a part of 
them. 

[0030] FIG. 3 is an idealized diagram (it is not to scale) 
showing the format of a typical encoded audio frame
generated by a transform type encoder in which the audio data
is represented by exponents and quantized mantissas (for 
example, Dolby AC3, which is described in more detail in 
the document Digital Audio Compression (AC-3) Standard. 
Approved Nov. 10, 1994. (Rev 1) Annex A added Apr. 12, 
1995. (Rev 2) 13 corrigendum added May 24, 1995. (Rev 3) 
Annex B and C added Dec. 20, 1995). In this example, each 
frame has a constant length (the same number of bits).
Typically, each frame begins with some sync bits followed 
by bitstream information (BSI), exponents and quantized 
mantissas. The highest entropy data are the quantized man- 
tissas at the end of the frame. Preferably, the quantized 
mantissas, or a portion of the quantized mantissas (as 
shown) are encrypted. Doing so will result in substantial 
degradation of the decoded bitstream unless the bitstream is 
properly decrypted. Less degradation results if the expo- 
nents or a portion of the exponents are encrypted (the 
exponents have lower entropy than the quantized mantissas). 
It is undesirable to encrypt the sync word or the BSI bits 
because they are repetitive from frame to frame or are 
predictable and such encryption would aid an attacker. 

[0031] Ideally, in order to maximize security, the partially
encrypted bitstream should not violate the encoder's syntax, 
but should result in an output, when decoded, of degraded 
quality. If the bitstream violates the encoder's syntax, then 
an attack is simplified — the attacker need only find a key that 
legalizes the bitstream syntax. If however, the bitstream 
syntax is legal, an attack is more difficult — the attacker need 
only find a key that restores the audio or video quality, a 
much more complex task and one that may be difficult to 
automate. 

[0032] Encrypting some or all of a frame generated by 
some encoders may result in an illegal bitstream, a bitstream 
that violates the syntax of the encoder. Such a bitstream 
would not be "decodable" by a decoder that expects a
bitstream in accordance with the encoder's syntax, which
would simplify the task of an attacker, as mentioned just
above. For example, some entropy-coded data (e.g.,
Huffman-encoded data) contain backward dependencies that are
broken by encryption. Such broken dependencies cause the 
decoding algorithm to finish decoding the frame before the 
end of the frame or to continue decoding past the end of the 
frame. These are overflow and underflow conditions that 
would indicate to an attacker that it does not have the correct 
key, which would significantly simplify an attack. The 
system is more secure if the attacker is forced to use other 
means to determine if it has the correct key, such as 
searching for a key that restores degraded audio or video. 

[0033] Overcoming the problem of encrypting
entropy-coded data requires a modification of the bitstream data, for
example, bitstream re-ordering or the addition of padded 
data, and, consequently, a modification of the bitstream 
syntax. FIG. 4 shows generally how this may be accom- 
plished. An audio or video signal is applied to a standard 
entropy-type encoder function or process 14. The assembled 
encoded bitstream produced by encoder function or process 
14 is applied to a syntax modifier function or process 16. An 
encrypter function or process 18, in accordance with an 
applied key, then encrypts the bitstream, modifying the 
bitstream so that the modified bitstream is in accordance 
with the modified syntax to produce the protected bitstream. 
In practice, the functions of syntax modifier function or 
process 16 and encrypter function or process 18 may be 
closely interrelated. They are shown as separate functions 
for explanatory purposes. As shown in FIG. 5, the protected 
bitstream is applied to a decrypter function or process 20, 
which receives the same key as encrypter function or 
process 18. The decrypter function or process 20 also 
restores the modified bitstream to its unmodified state (as it 
was produced by the entropy-type encoder 14). A syntax 
restorer function or process 22 restores the original syntax of 
the bitstream produced by the entropy-type encoder function
or process 14. As in the case of functions 16 and 18 of FIG.
3, in practice, the functions of decrypter function or process
20 and syntax restorer function or process 22 may be closely 
interrelated or combined and are shown as separate func- 
tions for explanatory purposes. The restored bitstream hav- 
ing its original syntax is applied to a standard entropy-type 
decoder function or process 24, which provides a decoded 
audio or video signal. 

Huffman Coding 

[0034] Huffman coding is an example of an entropy-type
coding that cannot be conventionally encrypted without 
affecting the legality of the resulting bitstream. This type of 
entropy coding generates uniquely decodable symbols based
on the probabilities of occurrence of each symbol. The 
following table shows an example set of symbols, probabili- 
ties for the symbols and two sets of possible Huffman codes. 
Note that any combination of code words is uniquely 
decodable. 



Symbol   Probability   Code Word 1   Code Word 2
0        0.4           1             00
1        0.2           01            10
2        0.2           000           11
3        0.1           0010          010
4        0.1           0011          011

[0035] In practical implementations of Huffman coding, 
multiple sets of pre-calculated Huffman codes are fixed in
the encoder and decoder so that these codebooks do not have 
to be included in the compressed bitstream. The encoder 
chooses the codebook that provides the largest coding gain. 
The problem with conventionally encrypting the Huffman 
data is that the encrypted data will not properly decode (i.e.,
it results in an illegal bitstream), thus giving useful infor- 
mation to an attacker. 

[0036] The following example shows, in the second line of 
the table, the encoded output of the Huffman coded symbols 
0, 1, 2, 3, 4 using 'Code Word 1' from the above table. For
clarity in this example, a space is shown between each of the 
encoded symbols in line 2. Line 3 shows the encoded output 
with no spaces. A simple encryption technique of inverting 
each bit is applied to the data and the corresponding output 
is shown in the fourth line of the table. Line 5 shows the 
flipped-bit-encrypted data but parsed and spaced in groups
of the Code Word set 1 code words. The last line shows the 
output symbols corresponding to each code word in the fifth 
line. Thus code "01" results in an output of "1" and code
word "1" results in an output of "0." 



1) Input Symbols                                   0, 1, 2, 3, 4
2) Huffman Encoded output                          1 01 000 0010 0011
3) Huffman Encoded output                          10100000100011
4) Encrypted output (Bit flipper)                  01011111011100
5) Encrypted output (Bit flipper)                  01 01 1 1 1 1 01 1 1 00
6) Decoded Output Symbols                          1, 1, 0, 0, 0
7) Decoded Output Symbols (with assumed padding)   1, 1, 0, 0, 0, 0, 1, 0, 0, ?





[0037] An attacker with knowledge of the number of input 
symbols (it is assumed that an attacker would have such 
knowledge), but who does not have the correct decryption
key, would obtain the incorrect decoded output symbols 
shown in line 6. The attacker would note that there are 
unallocated encrypted output symbols (line 5) but would 
likely assume that padding bits had been added to the 
Huffman encoded output (line 3) before encryption. Thus, an
attacker who assumes padding would obtain the decoded
output symbols shown in line 7 (although the attacker would
likely ignore that extended output if it was assuming
padding had occurred and knew there was supposed to be only
five symbols). However, in this example, no random padding
bits were added to the Huffman encoded output of line 3. If
padding bits had been added, there would have been even 
more additional decoded output signals. Either way, the 
attacker finds an illegal bitstream but obtains no information 
useful in the attack. However, as explained further below, it 
is desirable to add padding bits to the Huffman encoded 
output in order to make an attack more difficult when there 
would be underflow in the absence of padding bits. 
[0038] Note in the above example and the following example
that the extraneous bits at the end of the encrypted outputs
(yielding the "?" decoded symbols) are of no concern
because in practical systems the bit allocation process rarely 
allocates exactly, so there are always a few remaining bits. 

[0039] The following example illustrates that adding pad- 
ding bits provides protection against attackers for underflow 
conditions. 



1) Input Symbols                              0, 0, 1, 1, 4, 1
2) Huffman Encoded output                     1 1 01 1 0011 01
3) Huffman Encoded output                     11011001101
4) Encrypted output (Bit flipper)             00100110010
5) Encrypted output (Bit flipper)             0010 01 1 0010
6) Decoded Output Symbols                     3, 1, 0, 3
7) Encrypted output (Bit flipper) w/ padding  001001100101010
8) Encrypted output (Bit flipper) w/ padding  0010 01 1 0010 1 01 0
9) Decoded Output Symbols w/ padding          3, 1, 0, 3, 0, 1, ?





[0040] In this underflow example, the random bits "1010"
are added to the encrypted output. Consequently, there are 
six input symbols and six output symbols (without padding 
there would have been only four output symbols). Thus, the
four-bit padding prevents an underflow, which would have 
provided useful information to an attacker. 
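
The two bit-flipper tables above, reproduced in code as an added example (not part of the patent): it decodes the flipped bits with the 'Code Word 1' column and counts how many wrong XOR keystreams a symbol-count check would rule out, with and without the four pad bits. The function names, the XOR-mask model of a wrong key, and appending the pad in the clear are assumptions made for this illustration.

```python
from itertools import product

# 'Code Word 1' column of the Huffman table on this page.
CODE_WORD_1 = {0: "1", 1: "01", 2: "000", 3: "0010", 4: "0011"}
DECODE_1 = {bits: sym for sym, bits in CODE_WORD_1.items()}


def encode(symbols):
    """Concatenate the Code Word 1 code words for a list of symbols."""
    return "".join(CODE_WORD_1[s] for s in symbols)


def xor_bits(bits, mask):
    """XOR two equal-length bit strings."""
    if len(bits) != len(mask):
        raise ValueError("bit strings must have equal length")
    return "".join("1" if a != b else "0" for a, b in zip(bits, mask))


def bit_flip(bits):
    """The page's stand-in cipher: invert every bit (XOR with all ones)."""
    return xor_bits(bits, "1" * len(bits))


def decode(bits):
    """Greedy prefix decode.

    Returns (symbols, leftover); leftover is the incomplete trailing code
    word, or '' when the bits end exactly on a code word boundary.
    """
    symbols, current = [], ""
    for bit in bits:
        current += bit
        if current in DECODE_1:
            symbols.append(DECODE_1[current])
            current = ""
    return symbols, current


def count_rejected(frame_bits, expected_symbols, pad=""):
    """Count wrong keystreams that a symbol-count check rules out.

    Each non-zero XOR mask stands for the difference between the true
    keystream and one wrong guess (assumed model). A guess is rejected when
    the decoder runs out of bits before expected_symbols are decoded, the
    condition paragraph [0040] calls underflow. pad is appended in the
    clear after encryption, as on line 7 of the second table.
    """
    rejected = 0
    for mask_bits in product("01", repeat=len(frame_bits)):
        mask = "".join(mask_bits)
        if "1" not in mask:
            continue  # zero mask is the correct key
        symbols, _ = decode(xor_bits(frame_bits, mask) + pad)
        if len(symbols) < expected_symbols:
            rejected += 1
    return rejected


if __name__ == "__main__":
    # First table: five symbols, no padding.
    first = encode([0, 1, 2, 3, 4])
    print("table 1:", first, "->", bit_flip(first), decode(bit_flip(first)))

    # Second table: the encoded bits from its line 3 (six code words).
    frame = "11011001101"
    print("table 2:", decode(bit_flip(frame)))
    print("table 2 with pad:", decode(bit_flip(frame) + "1010"))

    wrong = 2 ** len(frame) - 1
    print("wrong keystreams rejected, no pad:", count_rejected(frame, 6), "of", wrong)
    print("wrong keystreams rejected, pad 1010:", count_rejected(frame, 6, "1010"), "of", wrong)
```
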

Gain Adaptive Quantization 

[0041] Gain adaptive quantization is a type of entropy 
coding, different from Huffman-type entropy coding, that
limits the variable code word length to two different states. 
Gain adaptive quantization is described in U.S. Pat. No. 
6,246,345 by Davidson, Grant; Robinson, Charles; Truman,
Michael, entitled "Using Gain Adaptive Quantization and
Non-Uniform Symbol Lengths for Improved Audio
Coding," which patent is incorporated by reference herein in its
entirety. 

[0042] Gain adaptive quantization divides a set of num- 
bers into two groups. One group contains smaller numbers, 
which require fewer digits to express the required resolution, 
while the other group contains the remaining larger
numbers. The coding efficiency is derived from the fact that the
smaller numbers occur more frequently, which creates a 
skewed distribution. 

[0043] There exist several possible ways of formatting
this type of data into an output stream. One possible method
places each element in order into the stream. Generally, the
elements are from the small set; thus an escape code is used
to indicate the presence of an element from the large set. The
following example stream shows a mixed group of small (S) 
and large (L) numbers with escape codes (E): 

SSSSELSSELSSSS 

[0044] S numbers and E numbers have the same number 
of bits (for a particular perceptual model bit allocation) but 
can be differentiated by their bit patterns. There are a fixed 
number of S and E numbers— one for each frequency 
coefficient (the encoder employing GAQ is a transform
coder in which frequency coefficients are quantized). 
Although the L numbers are all of the same length (for a
particular perceptual model bit allocation), there are a
variable number of L numbers, leading to a variable bitstream
length and, consequently, an illegal bitstream when the 
stream is encrypted (i.e., an underflow condition). One way 
to overcome the problem is to reorder the data stream by 
locating the large (L) numbers at the end of the stream: 

SSSSESSESSSS LL

[0045] In this reordered data stream example, there are 
two groups of code words — the small numbers and escape 
codes are one, and the large numbers are another. Each 
group contains internal elements that are the same length. 
Only the large number group can be encrypted without the 
variable-length coding problem discussed above. The first 
set of small numbers and escape codes contains useful
information to an attacker because the number of escape 
codes indicates the number of elements in the large group. 
An illegal syntax causing an underflow could occur when 
the encrypted set of small numbers and escape codes are 
decoded without the correct key. Encrypting only the large 
set would significantly impair the quality of the output signal 
without the proper key. Another possible re-ordering 
removes the escape codes from the small group. These codes 
are then placed in yet a different group to indicate the proper 
location of a large number. This would allow the small group 
to be encrypted without any fixed codes (escape codes). 
However, it would have the disadvantage of having to 
modify the bitstream syntax in the manner of FIGS. 3 and 
4, described above. For example, starting from the last 
example, above, the "5" and "8" elements indicate the 
positions in the S code words in which the L code words 
should be placed: 

5 8 SSSSSSSSSS LL 
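The first reordering above (S/E group followed by the L group), as an added sketch that is not part of the patent text. The 4-bit S/E symbols, 8-bit L numbers, escape value, key and coefficient values are assumptions constructed for illustration, and the repeating-key XOR is only a length-preserving placeholder for a real cipher.

```python
ESC = 0xF                    # constructed 4-bit escape pattern; small values are 0..14
KEY = bytes([0x5F, 0xCE])    # constructed demo key

def reorder(coeffs):
    """Split coefficients into the S/E group and the trailing fixed-length L group."""
    small, large = [], []
    for c in coeffs:
        if c < ESC:
            small.append(c)
        else:                # large value: escape stays in place, L goes to the end
            small.append(ESC)
            large.append(c)
    return small, large

def xor_stream(symbols, key, mask):
    """Length-preserving placeholder cipher (repeating-key XOR; not secure)."""
    return [(s ^ key[i % len(key)]) & mask for i, s in enumerate(symbols)]

def parse(small, large):
    """Decoder: each escape consumes one L number; a count mismatch is illegal syntax."""
    pending, out = list(large), []
    for s in small:
        if s != ESC:
            out.append(s)
        elif pending:
            out.append(pending.pop(0))
        else:
            raise ValueError("underflow: escape code with no L number left")
    if pending:
        raise ValueError("unused L numbers remain")
    return out

# Constructed coefficients giving the pattern SSSSELSSELSSSS from the text.
COEFFS = [3, 1, 0, 2, 200, 1, 4, 97, 0, 2, 1, 3]

def demo():
    small, large = reorder(COEFFS)
    enc_large = xor_stream(large, KEY, 0xFF)       # encrypt only the L group
    no_key = parse(small, enc_large)               # still parses, values are wrong
    with_key = parse(small, xor_stream(enc_large, KEY, 0xFF))
    try:                                           # encrypting the S/E group instead
        parse(xor_stream(small, KEY, 0xF), large)
        small_group_result = "parsed"
    except ValueError as exc:
        small_group_result = str(exc)
    return no_key, with_key, small_group_result

if __name__ == "__main__":
    print(demo())
```

With this constructed key the encrypted S/E group happens to contain four escape patterns against two L numbers, so the keyless decoder runs out of L numbers; any change in the escape count produces a similar mismatch.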

[0046] It should be understood that implementation of 
other variations and modifications of the invention and its 
various aspects will be apparent to those skilled in the art, 
and that the invention is not limited by these specific 
embodiments described. It is therefore contemplated to 
cover by the present invention any and all modifications, 
variations, or equivalents that fall within the true spirit and 
scope of the basic underlying principles disclosed and 
claimed herein. 

[0047] The present invention and its various aspects may 
be implemented as software functions performed in digital 
signal processors, programmed general-purpose digital 
computers, and/or special purpose digital computers. Inter- 
faces between analog and digital signal streams may be 
performed in appropriate hardware and/or as functions in 
software and/or firmware. 

1. A method for encrypting an encoded bitstream 
assembled by an audio or video encoder, the assembled 
encoded bitstream having a syntax, comprising 

selecting data in the assembled encoded bitstream without 
decoding any portion of the assembled bitstream, 
which data is less than all of the data in the bitstream 
and which, if encrypted, would result in a partly- 
encrypted bitstream that does not violate the syntax of 
the assembled encoded bitstream and would render 
reproduced audio or video resulting from an unde- 
crypted decoding of the partly-encrypted bitstream to be 
of degraded quality, and 

encrypting the selected data in the assembled encoded 
bitstream to provide said partly encrypted bitstream. 

2. A method according to claim 1 wherein said syntax is 
the normal syntax of said encoder for said assembled 
encoded bitstream. 

3. A method for partly encrypting an encoded bitstream 
assembled by an audio or video encoder, the assembled 
encoded bitstream having a syntax, wherein said syntax is a 
modification of the normal syntax of the encoder for said 
assembled encoded bitstream when a partly-encrypted bit- 
stream would violate the normal syntax of the assembled 
encoded bitstream, comprising 

selecting data in the assembled encoded bitstream without 
decoding any portion of the assembled bitstream, 
which data is less than all of the data in the bitstream 
and which, if encrypted, would result in a partly- 
encrypted bitstream that does not violate the modified 
syntax of the assembled encoded bitstream and would 
render reproduced audio or video resulting from an 
undecrypted decoding of the partly-encrypted bitstream 
to be of degraded quality, and 

encrypting the selected data in the assembled encoded 
bitstream to provide said partly encrypted bitstream. 

4. A method according to claim 3 wherein the audio or 
video encoder employs a Huffman coding algorithm and 
wherein said syntax is modified by adding padding bits to 
the bitstream. 



5. A method according to claim 3 wherein the audio or 
video encoder employs a gain adaptive-quantization coding 
algorithm and wherein said syntax is modified by reordering 
bits in the bitstream. 

6. A method according to any one of claims 1-3 wherein 
the data in said assembled encoded bitstream is arranged in 
successive frames and wherein said selecting data in the 
assembled encoded bitstream selects some of the data in one 
or more frames. 

7. The method according to any one of claims 1-3 wherein 
the selected data includes at least part of the data in the 
assembled encoded bitstream having the highest entropy. 

8. The method according to any one of claims 1-3 wherein 
the audio or video encoder is a perceptual encoder such that 
the assembled encoded bitstream data includes quantized 
frequency coefficients of a frequency domain representation 
of the encoded audio or video and wherein the selected data 
includes at least part of the data constituting said quantized 
frequency coefficients. 

9. The method according to any one of claims 1-3 wherein 
the audio or video encoder is an entropy-coder type encoder 
such that the assembled encoded bitstream data includes 
entropy coded data comprised of variable length code words 
and wherein the selected data includes at least part of the 
data constituting said entropy coded data. 